The stories are true; names and locations have been changed to protect potential culprits.

A few years ago, Debby Johnson, an attorney for a large Kansas City-based firm, contacted me about a relatively simple matter. I was to travel from my San Francisco-area labs to offices in Sacramento, copy a computer drive, and locate emails sent by the plaintiff to his brothers and sisters, of whom he had nine. The case was a product liability lawsuit in the amount of tens of millions of dollars. The plaintiff alleged that his health had been harmed by a defective product from an international company, although for the moment he had no symptoms. What was the product? Let’s just say it was coffee.

From the cool Bay Area in the summer, I traveled to downtown Sacramento, where it was a balmy 106 degrees. I knew I was sweating, but inside I was cool. I was wondering if anyone else would be in trouble soon.

It’s not unusual that I never meet my client, since computers can be sent to my lab, but Debby was there at the plaintiff’s attorney’s law offices. In an oak-paneled conference room we met with the lawyer for “the other party” and the plaintiff himself. He sat smugly with his shiny computer at the conference table, friendly enough despite his assertion that I would never find the offensive emails he’d supposedly sent years before. My client believed that this guy had sent emails to his brothers that would disprove his claim, that would show that he was making up a case to get a few tens of millions.

I removed the hard drive from our man’s system to make a forensic copy for work and analysis. I was surprised to find that the hard drive was 100 GB in size. A drive of that capacity was quite new and unusual to see in a case so soon after it had been on the market. I was prepared for a much smaller drive, having been told I would see one 20% the size. Luckily, there was an electronics superstore nearby, so I took off my suit jacket, turned on the air conditioning in my minivan/lab truck (that beauty just hit 200,000 miles on the day of this writing) and headed off to buy some new equipment. Forty-five minutes and some melted gum later I was back on the scene to forensically clean the new drive by writing zeros to every sector.

Once the drive was cleaned to my satisfaction, I set up the copy process. In those days, while I was a fan of Diskology’s Disk Jockey, the version I had then didn’t seem to be able to handle what was such a large drive for the time. I probably used Byte Back on a forensic Intel box that I had brought along just in case. I started the copy process and it went smoothly. But as the copy was being made, I began to wonder: wasn’t that a pretty big drive to have been around at the time of the alleged emails? And for that matter, wasn’t this computer pretty fast for its age? And was Windows XP actually released before these emails were written? I was beginning to suspect that the game was rigged and that I would never find the plaintiff’s deleted emails on that computer.

I discussed the matter with Debby. I assumed that the plaintiff was right about the task being useless, because I assumed that the offending emails were never on this computer. I said I’d be willing to look for them, but I didn’t want to waste my client’s money. Debby asked me to look into the component age issue when I got back to headquarters. After some consultation with the manufacturer and a couple of Google searches, I was pretty convinced that the guy had never written those emails on this computer. Windows XP was almost too new, the drive was a couple of weeks too modern, and the computer was a month or two younger than those emails.

Debby called opposing counsel, who had no idea why this might not be the original system… until she checked with her man. It turned out that he had “put it to the curb for garbage collection” because it “wasn’t working”. The lawyers were not happy. The court was not happy. The only solution for me was to go to the nine brothers and sisters in four states to copy their personal computers and check them for the offending emails.

Do you think they were happy to hear from me? Would you be if your brother put you on the spot like that? Each of them had to agree that a perfect stranger, one who was working against their beloved brother, could enter their homes and check everything on their personal computers. The most eloquent example of their discontent was that of a brother, a former Vietnam-era Green Beret, who, in response to my phone call asking him when would be a good time to introduce myself, said: “I didn’t spend two years marching up and down the God **m Ho Chi Minh Trail for this s**t”. Understood.

It turns out that the opposing attorney had never even gotten around to telling this group that a computer forensics guy would be calling them and they needed to cooperate. I found out when I told Debby about the resistance I had just faced. She worked it out with a lawyer and the next series of phone calls I made to the brothers was much more pleasant.

The next few days, traveling from state to state, town to town, brother to sister to brother and so on to copy the private data of nine innocent family members had its challenges. But that’s a story in itself… I’ll spare you most of the details. Upon my return, the protocol asked me to search all data for any correspondence from (let’s call him) “The Brother” that referenced his struggles with… let’s call it Coffee. Then I was to print the references I found and send a copy to both the judge and the opposing attorney for a review of privilege and relevance. Debby and her company weren’t supposed to look at the data until anything private or irrelevant had been selected out, and only the rest was produced.

What did I find? Around the time of the supposed emails, lo and behold, I found real emails. The whole family was talking about The Brother’s fight with Coffee, their individual investigations into Coffee, and the upcoming lawsuit over Coffee. At one point, an email pointed out that this Burgess guy was going to check everyone’s email, and wouldn’t it make sense not to talk about Coffee? They agreed. Now they were just talking about… “the C Word.”

What else did I find when I performed my electronic discovery and digital forensics? Well, for the most part, I just can’t talk about it. There are some things on your computer that you wouldn’t want me to talk about, I’m sure. There are things on my computer that I wouldn’t want you to talk about either! Electronic discovery often has to be a fairly private process.

But there was a particularly interesting finding. When I called Green Beret Brother (GBB) from his sister’s house on the other side of town, and asked for permission to go make the copy of his computer, he kindly told me that it was fine. When I got there, he first asked me to read and sign a statement that I would not hold him responsible for any damage to me or my equipment, inadvertent or otherwise. Well, that was a little scary coming from a guy trained in the arts of stealth, warfare, and certainly the garrote. But since the paper didn’t look like a legal document, I signed it, if that was what would allow me to do my job. He was nice enough, the music on it was good, and the copy came out without a hitch. And I made it out alive and unharmed, a bonus indeed!

Once in my lab, I found out the last thing that had happened on his computer. About a minute after my phone call to ask for permission to review, GBB emailed himself, then promptly deleted the message. The subject, in all caps, was “COFFEE!” There was no playing the “C-Word” game for him. The message in the body was simple and to the point: “If you find this email, FUCK YOU!” It’s nice when a person knows how he feels and is able to express it freely. There was also a deleted photo attached to the deleted email. Upon retrieving it, it turned out to be a very recent photo of an extended middle finger, presumably GBB’s finger. Visual aids are always useful to understand the topic, don’t you think?

In the end, I produced about 75 pages of documentation that I considered relevant. Of course, it had to include the GBB missive. Unsurprisingly, opposing counsel dismissed everything as irrelevant or privileged. Also unsurprisingly, the judge allowed all the documents I had filed, with several lines removed, to be served on my client. Everyone’s favorite was the literal bit produced by GBB.

As for The Brother, the court decided that not only was he not very honest, due to the destruction of the most important data in the case, his original computer, but the relevant evidence and emails showed that he was apparently not harmed by the coffee. The case was defeated, Debby and her company were happy, and GBB became a legend.

This is just one of many “CSI* – Computer Forensics Files: Real Cases from Burgess Forensics”. Stay tuned for more hoax stories uncovered by computer forensics.

*The Free Dictionary includes over 160 definitions of CSI at acronyms.thefreedictionary.com. We chose Computer Scene Investigation.